The CL is a prerequisite for the shared cage. Instead of storing
state variables (is_incremental_marking_in_progress,
is_young_generation_enabled) in the cage metadata, the CL moves them to
HeapHandle. The HeapHandle pointer is now retrieved from page-headers.
To make sure that the write-barrier code is better optimized, the
HeapHandle definition is moved to internal/ headers. The part of
BasePage that contains HeapBase (i.e. HeapHandle) pointer is also
extracted and moved to the headers.
Bug: v8:12231
Change-Id: I44bf65d99a621d9548e4250386cf87476ca186ac
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3689730
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81005}
We introduce a Turbofan pass which optimizes wasm-gc nodes based on
the types of their inputs.
Bug: v8:7748
Change-Id: I281eb0785e9e4201ef925ec201d76dc3d274ad05
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3679198
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80929}
Use the existing {base::Optional} instead of the extra {MaybeBoolFlag}
struct. This makes writing to a maybe-flag simpler because you just
write a boolean value and that automatically initializes the optional.
R=cbruni@chromium.org
Bug: v8:12887
Change-Id: I940d20286d65ba4355dc04b4b6068a306706f295
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3686412
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80915}
We introduce a typing phase into the Turbofan compilation pipeline for
wasm-gc. It has two functionalities: (1) to type nodes that were not
typed during code generation (mainly phi nodes) and (2) to narrow types
as much as possible.
The following nodes are handled, which should be enough for our
purposes: TypeGuard, WasmTypeCast, AssertNotNull, Phi, LoadFromObject,
and LoadImmutableFromObject.
Loop phi types are computed by first assigning the type of the
non-recursive input, and updating once we have the type of the recursive
inputs, and repeating this process to a fixed point.
Drive-by: Remove the narrowing of function signatures during wasm
inlining, as it created some issues and should not be needed after this
series of changes.
Bug: v8:7748
Change-Id: I8a72488d5c221c4ae8257fc5abf6f0368cf10e96
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3678208
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80912}
This is a reland of commit ea9a1f1cbe
Changes since revert:
- Make the state field uintptr-aligned since arm64 faults on
atomic accesses to non-naturally aligned addresses.
Original change's description:
> [shared-struct] Add Atomics.Mutex
>
> This CL adds a moving GC-safe, JS-exposed mutex behind the
> --harmony-struct flag. It uses a ParkingLot-inspired algorithm and
> each mutex manages its own waiter queue.
>
> For more details, please see the design doc: https://docs.google.com/document/d/1QHkmiTF770GKxtoP-VQ1eKF42MpedLUeqiQPfCqus0Y/edit?usp=sharing
>
> Bug: v8:12547
> Change-Id: Ic58f8750d2e14ecd573173d17d5235a136bedef9
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3595460
> Commit-Queue: Shu-yu Guo <syg@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#80789}
Bug: v8:12547
Change-Id: I776cbf6ea860dcc6cb0ac51694a9b584b53d255c
Cq-Include-Trybots: luci.v8.try:v8_linux64_tsan_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_mac_arm64_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3673354
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80875}
Add a new late escape analysis pass to JS late optimizations.
The new pass simply removes allocations that are not used (besides
initializing stores to the object).
Bug: v8:12200
Change-Id: I01fc6233cca2f369c77ff2116ed7c4da1a232d95
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3677298
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80862}
The fuzzer runs the same wire bytes through the streaming decoder and
through synchronous compilation, and compares the result. In particular,
if one fails, then also the other should fail.
More checks for the result of both pipelines can be added later.
R=ahaas@chromium.org
Bug: v8:12922
Change-Id: I905adf740e581c4b7d0f4ab7c0d5d0e48d96fc4c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3675100
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80842}
This CL adds a moving GC-safe, JS-exposed mutex behind the
--harmony-struct flag. It uses a ParkingLot-inspired algorithm and
each mutex manages its own waiter queue.
For more details, please see the design doc: https://docs.google.com/document/d/1QHkmiTF770GKxtoP-VQ1eKF42MpedLUeqiQPfCqus0Y/edit?usp=sharing
Bug: v8:12547
Cq-Include-Trybots: luci.v8.try:v8_linux64_tsan_rel_ng
Change-Id: Ic58f8750d2e14ecd573173d17d5235a136bedef9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3595460
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80789}
We want to use llvm-ml to assemble files on Windows, but it only
recognizes .asm files as input files. See
https://chromium-review.googlesource.com/c/v8/v8/+/3668287.
Change-Id: I34ff6d2693a34653c8e22a7c2d093853505cd455
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3672420
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80782}
Currently, llvm-ml only assembles files that have the .asm extension, so
push_registers_masm.S fails to get assembled. This CL changes the
extension of the x86 and x64 push_registers_masm.S files to .asm.
I'll work on a patch to support assembling files with the .S extension
in llvm-ml, but in the meantime, we should probably rename the files as
it is customary for Intel syntax assembly files to have the .asm
extension[0].
ARM assembly files don't use llvm-ml, so we don't need to rename them.
[0]: https://stackoverflow.com/a/34098830
Change-Id: Ie4db42b78dd358c3ec0de83e9518aa5c60f6d175
Bug: chromium:762167
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3668287
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80772}
We introduce wasm-gc specific nodes into the Turbofan IR, corresponding
to the wasm opcodes:
ref.as_non_null, ref.is_null, ref.null, rtt.canon, ref.test, ref.cast.
We define them as simplified operators. These are lowered by a dedicated
phase in the wasm pipeline.
Optimizations based on these nodes will be introduced later.
Note: We rename ObjectReferenceKnowledge to WasmTypeCheckConfig and move
it to a separate file, as it is now used in simplified-operator as well.
Bug: v8:7748
Change-Id: Iceaf04eca089b08bad794f567359196e8ba78d93
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3654102
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80746}
V8_SANDBOX has been renamed to V8_ENABLE_SANDBOX in crrev.com/c/3647355
and its remaining uses in Chromium have now been renamed as well.
Bug: v8:10391
Change-Id: Ibb23ecab6687438b462685ef7fa044c0024dd098
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3660251
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80739}
Bug: v8:12868
Also adds wtf8.cc, wtf8.h to src/wasm, to implement WTF-8 validation and
possibly other utilities. Also fixes a bug when parsing the string
literals section; I had misunderstood the way the unordered/ordered
sections mechanism worked.
Change-Id: I3c4205e0872379a69575f84ba33e0090a9d8d656
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652789
Commit-Queue: Andy Wingo <wingo@igalia.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80674}
Before: when cet is disabled v8_shell is marked with the
cetcompat bit, which breaks the chromium build on cet
machines.
With this CL: v8_shell is not marked as cetcompat unless
v8_enable_cet_shadow_stacks is true.
Bug: chromium:1289318
Change-Id: If8a79ac5288a9a3385bf6b692db566508cca248f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3656146
Commit-Queue: Alex Gough <ajgo@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80673}
When enabled, this API exposes a new global 'Sandbox' object which
contains a number of functions and objects that in effect emulate
typical memory corruption primitives constructed by exploits. In
particular, the 'MemoryView' constructor can construct ArrayBuffers
instances that can corrupt arbitrary memory inside the sandbox. Further,
the getAddressOf(obj) and getSizeInBytesOf(obj) functions can be used
respectively to obtain the address (relative to the base of the sandbox)
and size of any HeapObject that can be accessed from JavaScript.
This API is useful for testing the sandbox, for example to
facilitate developing PoC sandbox escapes or writing regression tests.
In the future, it may also be used by custom V8 sandbox fuzzers.
Bug: v8:12878
Change-Id: I4e420b2ff28bd834b0693f1546942e51c71bfdda
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3650718
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80659}
Bug: v8:12868
A slight modification to the existing DFA-based UTF-8 allocator to allow
decoding surrogates, for use in decoding WTF-8. We'll need to
additionally constrain the decoder to disallow surrogate pairs.
Change-Id: Ifddbf08d4eeeff8f270df52a68f01769ea790eec
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652787
Commit-Queue: Andy Wingo <wingo@igalia.com>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80654}
With crrev.com/c/3641564, Chromium now uses PartitionAlloc for
ArrayBuffer allocations even if one of the sanizier tools (e.g. ASan) is
enabled. As such, sanitizer builds are now compatible with the sandbox.
Bug: chromium:1218005
Change-Id: I100bf3ef442c556652fb00dd6c09d06b167e6577
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652785
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80653}
We currently have a BitVector implementation which is used a lot by the
two (mid-tier and top-tier) register allocators. Their size is the
number of virtual registers or the number of blocks in the function. If
one of those numbers gets huge, the BitVector does not perform well any
more, and it consumes huge amounts of memory (we see up to several GBs
for huge Wasm functions).
This CL introduces a SparseBitVector implementation with a compatible
interface, meant to replace the BitVector implementation. Usages will be
introduced in follow-up CLs, first for the mid-tier allocator, then
top-tier. This will allow us to assess performance changes better, and
revert individual usages.
R=mslekova@chromium.org
Bug: chromium:1313379, v8:12780
Change-Id: I804311e0c188526961f70e88a43dd1ea26497cda
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3634780
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80546}
This CL adds to the existing experimental implementation of the
object start bitmap, that is evaluated as a mechanism for resolving
inner pointers (behind the flag v8_enable_conservative_stack_scanning).
It fixes method ObjectStartBitmap::FindBasePtr to ensure that the
correct base pointer is returned, even if the bitmap is not fully
populated (e.g., with object evacuation or inline object allocation).
This method now recalculates the part of the bitmap that is
required for returning the correct result, by iterating through
objects of the page. A special constructor has been introduced to the
PagedSpaceObjectIterator for this purpose.
It also moves the existing inline methods of ObjectStartBitmap to a
new -inl.h header file, to avoid circular dependencies.
Bug: v8:12851
Change-Id: Iabd0df020bee3bb63ef9d4888591b25d24d79dd9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3641179
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80538}
This is more consistent with similar features, for example
V8_ENABLE_WEBASSEMBLY or V8_ENABLE_MAGLEV.
Drive-by: remove V8_SANDBOX_IS_AVAILABLE as it's no longer needed.
Bug: v8:10391
Change-Id: I8658c5b0c331a4c73892737083b2c2f9b8f84056
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3647355
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Samuel Groß <saelo@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80530}
This introduces a class which can be used for formatting dynamic values
into a constant-size, stack-allocated array. You get ostream-style code
but printf-style performance, and in particular no dynamic allocation.
This makes this class also suitable to be used in OOM or other fatal
situations where we cannot rely on dynamic memory allocation to still
work.
Using FormattedString will automatically compute the format string
depending on the types. It also computes the maximum size of the output.
Last but not least, it makes the code a lot more readable than
traditional printf style printing.
R=mlippautz@chromium.org
Bug: chromium:1323177
Change-Id: I47228b3603c694c1fa23516dd3f1c57e39c0ca35
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644622
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80529}
With this CL, the decompression simply becomes:
movsxd rax, edi
add rax, rax
and rax, qword ptr fs:[base@TPOFF]
Bug: chromium:1325007
Change-Id: I931e4e667a9b9697671bccf14575420f8cb705e8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3629871
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80521}
With caged heap enabled, we can halve Member<> by storing only the least
significant half. The base of the heap is stored in a thread local
variable. The feature has therefore an implication that only single heap
is allowed per thread.
The feature is gated by the new GN arg:
cppgc_enable_pointer_compression.
Bug: chromium:1325007
Change-Id: Ic7f1ecb7b9ded57caad63d95bbc8e8ad6ad65031
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2739979
Reviewed-by: Almothana Athamneh <almuthanna@chromium.org>
Commit-Queue: Almothana Athamneh <almuthanna@chromium.org>
Commit-Queue: Tamer Tas <tmrts@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Tamer Tas <tmrts@chromium.org>
Auto-Submit: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80518}
This CL separates logic for promoting all of new space during fast
promotion out of the heap and into a new dedicated
PromoteYoungGenerationGC class.
It currently assumes SemiSpaceNewSpace and will need to be extended with
support for PagedNewSpace.
Bug: v8:12612
Change-Id: I0e65c034b444634a31b3c00df0a4b558612f023f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644610
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80492}
They are causing failures in the Linux ChromiumOS MSan bot.
Bug: chromium:1324301
Change-Id: I7a7bcd111a9f0e0e652d38e107027c51e51bd4bc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3639205
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Samuel Groß <saelo@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80463}
This way we can use it later in the pipeline for optimizations.
Change-Id: I0e97d061fd3d474ca7033ed2b68f43b52617d3e8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3634961
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80437}
This CL cleans up the existing experimental implementation of
conservative stack scanning. It retains the object start bitmap, to
evaluate it as a mechanism for resolving inner pointers, and the
conservative stack scanning visitor (which is currently not used).
The flag v8_enable_conservative_stack_scanning is kept and will be
used for experimental purposes. It currently does not imply any
other flag.
Bug: v8:10614
Bug: v8:12851
Change-Id: Id0ae0f437ed2601eed9ec634d2d1dd2f030d814e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3602516
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80365}
To be consistent with the all the other tiers and avoid confusion, we
rename --opt to ---turbofan, and --always-opt to --always-turbofan.
Change-Id: Ie23dc8282b3fb4cf2fbf73b6c3d5264de5d09718
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3610431
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80336}
The ubsan failures were fixed by 99e90c55f4.
Bug: chromium:1029379
Change-Id: Iec334388de7faf8a47e6d607501a2f1298a441a2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3623540
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80335}
This change adds support for computing SHA-256 hashes in the stack
output of errors by adding a function to the prototype of the
`CallSite` object, passed to `Error.prepareStackTrace`. Additionally,
it updates the `hash` property from `Debugger.scriptParsed` and
`Debugger.scriptFailedToParse` to be SHA-256 instead of the
proprietary hash it is today.
It is intended to be an advancement in indexing source maps to
support improved tooling, especially for post-hoc or in-production
diagnostics scenarios.
The explainer can be found here:
https://docs.google.com/document/d/13hNeeLC2Ve_FVieNndZUUUP15x2O4ltvjnGWwOsMlrU/edit?usp=sharing
Change-Id: Ifbbed4b22c8256e74e6d79974d2dd1e444143eda
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3229957
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Auto-Submit: Robert Paveza <Rob.Paveza@microsoft.com>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80320}
Oilpan Young Generation is now controlled by the runtime flag
--cppgc-young-generation.
Bug: chromium:1029379
Change-Id: I9ded9637f43a2f86993cff898cd7f272a051ae3c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3616728
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80312}
This is a reland of commit 9145388055
Fixed: properly reference the ClearedValue in CSA (i.e. without
the cage_base upper 32 bits).
Original change's description:
> Reland "[osr] Use the new OSR cache"
>
> This is a reland of commit 91da38831d
>
> Fixed: Use an X register for JumpIfCodeTIsMarkedForDeoptimization
> on arm64.
>
> Original change's description:
> > [osr] Use the new OSR cache
> >
> > This CL switches over our OSR system to be based on the feedback
> > vector osr caches.
> >
> > - OSRing to Sparkplug is fully separated from OSR urgency. If
> > SP code exists, we simply jump to it, no need to maintain an
> > installation request.
> > - Each JumpLoop checks its dedicated FeedbackVector cache slot.
> > If a valid target code object exists, we enter it *without*
> > calling into runtime to fetch the code object.
> > - Finally, OSR urgency still remains as the heuristic for
> > requesting Turbofan OSR compile jobs. Note it no longer has a
> > double purpose of being a generic untargeted installation
> > request.
> >
> > With the new system in place, we can remove now-unnecessary
> > hacks:
> >
> > - Early OSR tierup is replaced by the standard OSR system. Any
> > present OSR code is automatically entered.
> > - The synchronous OSR compilation fallback is removed. With
> > precise installation (= per-JumpLoop-bytecode) we no longer
> > have the problem of 'getting unlucky' with JumpLoop/cache entry
> > mismatches. Execution has moved on while compiling? Simply spawn
> > a new concurrent compile job.
> > - Remove the synchronous (non-OSR) Turbofan compile request now
> > that we always enter available OSR code as early as possible.
> > - Tiering into Sparkplug no longer messes with OSR state.
> >
> > Bug: v8:12161
> > Change-Id: I0a85e53d363504b7dac174dbaf69c03c35e66700
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3596167
> > Commit-Queue: Jakob Linke <jgruber@chromium.org>
> > Auto-Submit: Jakob Linke <jgruber@chromium.org>
> > Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> > Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#80147}
>
> Bug: v8:12161
> Change-Id: Ib3597cf1d99cdb5d0f2c5ac18e311914f376231d
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3606232
> Auto-Submit: Jakob Linke <jgruber@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#80167}
Bug: v8:12161,chromium:1320189
Change-Id: Ibd9a2ab61f51ebb32a3f5a66f7c602faead71c3e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3620273
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80306}
This reverts commit 9145388055.
Reason for revert: Breaking the Fuchsia Deterministic Builder
Original change's description:
> Reland "[osr] Use the new OSR cache"
>
> This is a reland of commit 91da38831d
>
> Fixed: Use an X register for JumpIfCodeTIsMarkedForDeoptimization
> on arm64.
>
> Original change's description:
> > [osr] Use the new OSR cache
> >
> > This CL switches over our OSR system to be based on the feedback
> > vector osr caches.
> >
> > - OSRing to Sparkplug is fully separated from OSR urgency. If
> > SP code exists, we simply jump to it, no need to maintain an
> > installation request.
> > - Each JumpLoop checks its dedicated FeedbackVector cache slot.
> > If a valid target code object exists, we enter it *without*
> > calling into runtime to fetch the code object.
> > - Finally, OSR urgency still remains as the heuristic for
> > requesting Turbofan OSR compile jobs. Note it no longer has a
> > double purpose of being a generic untargeted installation
> > request.
> >
> > With the new system in place, we can remove now-unnecessary
> > hacks:
> >
> > - Early OSR tierup is replaced by the standard OSR system. Any
> > present OSR code is automatically entered.
> > - The synchronous OSR compilation fallback is removed. With
> > precise installation (= per-JumpLoop-bytecode) we no longer
> > have the problem of 'getting unlucky' with JumpLoop/cache entry
> > mismatches. Execution has moved on while compiling? Simply spawn
> > a new concurrent compile job.
> > - Remove the synchronous (non-OSR) Turbofan compile request now
> > that we always enter available OSR code as early as possible.
> > - Tiering into Sparkplug no longer messes with OSR state.
> >
> > Bug: v8:12161
> > Change-Id: I0a85e53d363504b7dac174dbaf69c03c35e66700
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3596167
> > Commit-Queue: Jakob Linke <jgruber@chromium.org>
> > Auto-Submit: Jakob Linke <jgruber@chromium.org>
> > Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> > Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#80147}
>
> Bug: v8:12161
> Change-Id: Ib3597cf1d99cdb5d0f2c5ac18e311914f376231d
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3606232
> Auto-Submit: Jakob Linke <jgruber@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#80167}
Bug: v8:12161
Change-Id: I73e2d98660e9edfbe07a152a14402380ea9227de
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3615219
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Owners-Override: Deepti Gandluri <gdeepti@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#80287}
Introduce get_hints.py and combine_hints.py in order to make
the interpretation of basic block counts into hints more
configurable and explicit, as well as allowing more accurate
and consistent methods of combining multiple profiles.
get_hints.py allows for the minimum count and threshold ratio
values to be easily altered for different profiles, while
combine_hints.py allows the hints produced from different
benchmarks and threshold values to be easily and sensibly
combined.
Simply summing together basic block counts from different
benchmarks could previously lead to a longer running benchmark
overshadowing multiple shorter benchmarks with conflicting
hints.
Allowing alteration of the current threshold values gives a
doubling of performance, while the new method of combining
distinct profiles can double the performance improvement of the
secondary benchmark while losing as little as 4% of the
improvement gained in the primary benchmark.
Design doc: https://docs.google.com/document/d/1OhwZnIZom47IX0lyceyt-S9i8AApDB0UqJdvQD6NuKQ/edit?usp=sharing
Bug: v8:10470
Change-Id: I1c09d1eabfdda5ed6794592e2c13ff8b461be361
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3545181
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: George Wort <george.wort@arm.com>
Cr-Commit-Position: refs/heads/main@{#80282}
This is a reland of commit 91da38831d
Fixed: Use an X register for JumpIfCodeTIsMarkedForDeoptimization
on arm64.
Original change's description:
> [osr] Use the new OSR cache
>
> This CL switches over our OSR system to be based on the feedback
> vector osr caches.
>
> - OSRing to Sparkplug is fully separated from OSR urgency. If
> SP code exists, we simply jump to it, no need to maintain an
> installation request.
> - Each JumpLoop checks its dedicated FeedbackVector cache slot.
> If a valid target code object exists, we enter it *without*
> calling into runtime to fetch the code object.
> - Finally, OSR urgency still remains as the heuristic for
> requesting Turbofan OSR compile jobs. Note it no longer has a
> double purpose of being a generic untargeted installation
> request.
>
> With the new system in place, we can remove now-unnecessary
> hacks:
>
> - Early OSR tierup is replaced by the standard OSR system. Any
> present OSR code is automatically entered.
> - The synchronous OSR compilation fallback is removed. With
> precise installation (= per-JumpLoop-bytecode) we no longer
> have the problem of 'getting unlucky' with JumpLoop/cache entry
> mismatches. Execution has moved on while compiling? Simply spawn
> a new concurrent compile job.
> - Remove the synchronous (non-OSR) Turbofan compile request now
> that we always enter available OSR code as early as possible.
> - Tiering into Sparkplug no longer messes with OSR state.
>
> Bug: v8:12161
> Change-Id: I0a85e53d363504b7dac174dbaf69c03c35e66700
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3596167
> Commit-Queue: Jakob Linke <jgruber@chromium.org>
> Auto-Submit: Jakob Linke <jgruber@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#80147}
Bug: v8:12161
Change-Id: Ib3597cf1d99cdb5d0f2c5ac18e311914f376231d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3606232
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80167}
Make the file names consistent on "shadow-realm" (i.e. singular, with a
dash).
Bug: v8:11989
Change-Id: Id0a6f417fd9b53b9f7ddf9677da7396fa2481af6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3606392
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80164}
This reverts commit 91da38831d.
Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20-%20arm64%20-%20sim%20-%20pointer%20compression%20-%20builder/21150/overview
Original change's description:
> [osr] Use the new OSR cache
>
> This CL switches over our OSR system to be based on the feedback
> vector osr caches.
>
> - OSRing to Sparkplug is fully separated from OSR urgency. If
> SP code exists, we simply jump to it, no need to maintain an
> installation request.
> - Each JumpLoop checks its dedicated FeedbackVector cache slot.
> If a valid target code object exists, we enter it *without*
> calling into runtime to fetch the code object.
> - Finally, OSR urgency still remains as the heuristic for
> requesting Turbofan OSR compile jobs. Note it no longer has a
> double purpose of being a generic untargeted installation
> request.
>
> With the new system in place, we can remove now-unnecessary
> hacks:
>
> - Early OSR tierup is replaced by the standard OSR system. Any
> present OSR code is automatically entered.
> - The synchronous OSR compilation fallback is removed. With
> precise installation (= per-JumpLoop-bytecode) we no longer
> have the problem of 'getting unlucky' with JumpLoop/cache entry
> mismatches. Execution has moved on while compiling? Simply spawn
> a new concurrent compile job.
> - Remove the synchronous (non-OSR) Turbofan compile request now
> that we always enter available OSR code as early as possible.
> - Tiering into Sparkplug no longer messes with OSR state.
>
> Bug: v8:12161
> Change-Id: I0a85e53d363504b7dac174dbaf69c03c35e66700
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3596167
> Commit-Queue: Jakob Linke <jgruber@chromium.org>
> Auto-Submit: Jakob Linke <jgruber@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#80147}
Bug: v8:12161
Change-Id: I4a6955f4f20b6f3b13e98d5600c7c6a5205915bc
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3605608
Auto-Submit: Nico Hartmann <nicohartmann@chromium.org>
Owners-Override: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#80148}
This CL switches over our OSR system to be based on the feedback
vector osr caches.
- OSRing to Sparkplug is fully separated from OSR urgency. If
SP code exists, we simply jump to it, no need to maintain an
installation request.
- Each JumpLoop checks its dedicated FeedbackVector cache slot.
If a valid target code object exists, we enter it *without*
calling into runtime to fetch the code object.
- Finally, OSR urgency still remains as the heuristic for
requesting Turbofan OSR compile jobs. Note it no longer has a
double purpose of being a generic untargeted installation
request.
With the new system in place, we can remove now-unnecessary
hacks:
- Early OSR tierup is replaced by the standard OSR system. Any
present OSR code is automatically entered.
- The synchronous OSR compilation fallback is removed. With
precise installation (= per-JumpLoop-bytecode) we no longer
have the problem of 'getting unlucky' with JumpLoop/cache entry
mismatches. Execution has moved on while compiling? Simply spawn
a new concurrent compile job.
- Remove the synchronous (non-OSR) Turbofan compile request now
that we always enter available OSR code as early as possible.
- Tiering into Sparkplug no longer messes with OSR state.
Bug: v8:12161
Change-Id: I0a85e53d363504b7dac174dbaf69c03c35e66700
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3596167
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80147}
This introduces an AssemblerBufferCache class which will (later) cache
the backing store of AssemblerBuffers. This is needed for PKU-protected
assembler buffers, which are expensive to allocate and deallocate.
For now, the AssemblerBufferCache does not do any caching, this will be
added in a follow-up CL.
R=thibaudm@chromium.org
Bug: v8:12809
Change-Id: I4a7ccff49c9930584a9fcda8899cfe38cfc61419
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3593136
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80145}
TurboShaft is a new, CFG-based IR for TurboFan.
This CL adds the basic IR and bidirectional translation from/to
TurboFan's sea-of-nodes-based IR for some common operators (still
incomplete even for JS).
Bug: v8:12783
Change-Id: I162fdf10d583a9275a9f655f5b44b888faf813f6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3563562
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80136}
Reason for reland: Fixed Fuchsia build.
Original change's description:
> [builtins] Remap builtins on Linux
>
> This is a CL similar to
> https://chromium-review.googlesource.com/c/v8/v8/+/3553006, but on Linux
> rather than macOS. The goal is to allow builtins to use short builtin
> calls without paying a memory cost, by remapping rather than copying
> them.
>
> However, while macOS has a system call making this easier, on Linux we
> don't have one on most kernels. There is the recently-introduced
> mremap(MREMAP_DONTUNMMAP), which is available in 5.7, but only works on
> anonymous mappings until 5.13, which is too recent for most Android
> devices.
>
> Instead, we open() the file containing the builtins, and mmap() it at
> the desired location.
>
> Change-Id: I4524f349948b8f48c4536cf392a1cd179662a6cc
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3570426
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Jakob Linke <jgruber@chromium.org>
> Commit-Queue: Benoit Lize <lizeb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#80022}
Change-Id: I0cc8cf510bd2cb8621130bea8406d79aa209948c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3596164
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Benoit Lize <lizeb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80049}
This reverts commit b1dd828707.
Reason for revert: Breaking fuschia build https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Fuchsia%20-%20builder/13592/overview
Original change's description:
> [builtins] Remap builtins on Linux
>
> This is a CL similar to
> https://chromium-review.googlesource.com/c/v8/v8/+/3553006, but on Linux
> rather than macOS. The goal is to allow builtins to use short builtin
> calls without paying a memory cost, by remapping rather than copying
> them.
>
> However, while macOS has a system call making this easier, on Linux we
> don't have one on most kernels. There is the recently-introduced
> mremap(MREMAP_DONTUNMMAP), which is available in 5.7, but only works on
> anonymous mappings until 5.13, which is too recent for most Android
> devices.
>
> Instead, we open() the file containing the builtins, and mmap() it at
> the desired location.
>
> Change-Id: I4524f349948b8f48c4536cf392a1cd179662a6cc
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3570426
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Jakob Linke <jgruber@chromium.org>
> Commit-Queue: Benoit Lize <lizeb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#80022}
Change-Id: I0093fe84216f8c8fd1a8691c53817e578d92fa40
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3594009
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Owners-Override: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80028}
This is a CL similar to
https://chromium-review.googlesource.com/c/v8/v8/+/3553006, but on Linux
rather than macOS. The goal is to allow builtins to use short builtin
calls without paying a memory cost, by remapping rather than copying
them.
However, while macOS has a system call making this easier, on Linux we
don't have one on most kernels. There is the recently-introduced
mremap(MREMAP_DONTUNMMAP), which is available in 5.7, but only works on
anonymous mappings until 5.13, which is too recent for most Android
devices.
Instead, we open() the file containing the builtins, and mmap() it at
the desired location.
Change-Id: I4524f349948b8f48c4536cf392a1cd179662a6cc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3570426
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Benoit Lize <lizeb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80022}
AtomicWord will either alias Atomic32 or Atomic64, depending on the
platform. By slightly changing the definition to encode this directly
instead of relying on intptr_t, we can get rid of a number of
compatibility helpers that cast between pointers to equally sized
atomics.
R=mlippautz@chromium.org
Bug: v8:12425
Change-Id: I04e8433cba5af8cf398d75d7832b84680109cf8b
Cq-Include-Trybots: luci.v8.try:v8_linux64_tsan_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3586988
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80017}
This is a reland of commit 4d8e1846a7
One of the Mac arm64 bots failed to link an exported thread_local
static variable (crbug/1316800).
Original change's description:
> [rwx][mac] Introduce RwxMemoryWriteScope
>
> ... as a single bottleneck that encapsulates the semantics and
> implementation of fast per-thread W^X permission switching supported
> by Apple Silicon (arm64 M1).
> On other architectures this class is a no-op.
>
> Bug: v8:12797
> Change-Id: Ica842ff9f843e20b7f61fd7e80591e7a1fd29771
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3586986
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#79994}
Bug: v8:12797
Change-Id: Ifbd15c233bb343f11daa89b1328b5bf65c4806f4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3591332
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80011}
This reverts commit 4d8e1846a7.
Reason for revert: Blocks V8 roll, crbug.com/1316800
Original change's description:
> [rwx][mac] Introduce RwxMemoryWriteScope
>
> ... as a single bottleneck that encapsulates the semantics and
> implementation of fast per-thread W^X permission switching supported
> by Apple Silicon (arm64 M1).
> On other architectures this class is a no-op.
>
> Bug: v8:12797
> Change-Id: Ica842ff9f843e20b7f61fd7e80591e7a1fd29771
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3586986
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#79994}
Bug: v8:12797
Change-Id: I81792567839e72b4147d009c0845b0c0de003eb0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3590752
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Owners-Override: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80007}
... as a single bottleneck that encapsulates the semantics and
implementation of fast per-thread W^X permission switching supported
by Apple Silicon (arm64 M1).
On other architectures this class is a no-op.
Bug: v8:12797
Change-Id: Ica842ff9f843e20b7f61fd7e80591e7a1fd29771
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3586986
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79994}
Tracer scopes are used in numerous places in src/heap to track time
spent during various phases of the garbage collection. Usually, they
are introduced with the TRACE_GC* family of macros, taking the scope
identifier as a parameter. At most call sites, the scope identifier is
known at compile time.
This CL inlines the constructor and destructor of GCTracer::Scope, in
order to enable the C++ compiler to properly optimize the introduction
of such scopes when the scope identifier is known at compile time,
using constant propagation. This is expected to have a performance
impact for short-lived and frequently used scopes, e.g., in incremental
marking and sweeping steps.
Change-Id: I6f1a2954a437de1fa6dab5e464c20c952d84ffd4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3581774
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79957}
It currently only checks if the node inputs are expected to be
tagged or untagged.
Bug: v8:7700
Change-Id: Ibf068098dfb08c28b2744cb321fa857572998948
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3578804
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79945}
The external code space is required for the sandbox, so enable it on
Android to be able to enable the sandbox there as well in the future.
Bug: v8:11880
Change-Id: Ic7ba29c77affc3e0e83c8a93f2f6f53b3c72b8e8
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3578799
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79924}
This is a reland of commit 1f0d7d2072
The fix merges concurrent marking tasks when marking in the atomic
pause. Without the fix, Oilpan markers would continue running
concurrently, possibly discovering new V8 objects. This violates the
assumption that the final transitive closure runs on a single thread.
Original change's description:
> cppgc-js: Concurrently process v8::TracedReference
>
> Adds concurrent marking for reaching through v8::TracedReference.
> Before this CL, a v8::TracedReference would always be processed on the
> main thread by pushing a callback for each encountered reference.
>
> This CL now wires up concurrent handling for such references. In particular:
> - Global handles are already marked as well and not repurposed during
> the same GC cycle.
> - Since global handles are not repurposed, it is enough to
> double-deref to the V8 object, checking for possible null pointers.
> - The bitmap for global handle flags is mostly non-atomic, with the
> markbit being the exception.
> - Finally, all state is wired up in CppHeap. Concurrent markers keep
> their own local worklist while the mutator marker directly pushes to
> the worklist owned by V8.
>
> Bug: v8:12600
> Change-Id: Ia67dbd18a57dbcccf4dfb9ccfdb9ee438d27fe71
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3516255
> Reviewed-by: Omer Katz <omerkatz@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#79736}
Bug: v8:12600
Change-Id: I8545041b2c7b3daf7ecea7e3a100e27534e9b8b5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3571887
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79919}
This is a reland of commit c482a66bd7
Original change's description:
> Enable PAC and BTI for runtime generated code.
>
> This patch enables PAC and BTI for runtime generated code when PAC
> is enabled. Additional BTI landing pads will resolve to NOOP when
> running on non BTI device and will not cause functional problems.
>
> Change-Id: I3993481df2c3c47e3e81bfb76a8c355f642cd572
> Bug: chromium:919548, v8:10026
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3548457
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Andre Kempe <andre.kempe@arm.com>
> Cr-Commit-Position: refs/heads/main@{#79630}
Bug: chromium:919548, chromium:1310642, v8:10026
Change-Id: I5f76705a222b5f4fbc07cf472c02e9b58b5171fb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3579164
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Andre Kempe <andre.kempe@arm.com>
Cr-Commit-Position: refs/heads/main@{#79895}
Change the unittest runner to no longer uncondtionally set up a default
platform in the "environment", but to instead make platform set-up part
of the "mixin" framework for test fixtures.
Requires modifying some tests that expect the platform to be available,
and all flag implications resolved, before the mixin constructors run.
We still keep the environment for setting up the process for cppgc. This
process setup can only be done once per process, so it can no longer use
the platform -- that's ok though, the page allocator used by cppgc's
process initialisation doesn't have to be the same as the platform's so
we can just pass in a separate new one.
Change-Id: Ic8ccf39722e8212962c5bba87350c4b304388a7c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3571886
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79820}
This reverts commit 1f0d7d2072.
Reason for revert: Speculative revert for roll failures in https://chromium-review.googlesource.com/c/chromium/src/+/3569445
Original change's description:
> cppgc-js: Concurrently process v8::TracedReference
>
> Adds concurrent marking for reaching through v8::TracedReference.
> Before this CL, a v8::TracedReference would always be processed on the
> main thread by pushing a callback for each encountered reference.
>
> This CL now wires up concurrent handling for such references. In particular:
> - Global handles are already marked as well and not repurposed during
> the same GC cycle.
> - Since global handles are not repurposed, it is enough to
> double-deref to the V8 object, checking for possible null pointers.
> - The bitmap for global handle flags is mostly non-atomic, with the
> markbit being the exception.
> - Finally, all state is wired up in CppHeap. Concurrent markers keep
> their own local worklist while the mutator marker directly pushes to
> the worklist owned by V8.
>
> Bug: v8:12600
> Change-Id: Ia67dbd18a57dbcccf4dfb9ccfdb9ee438d27fe71
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3516255
> Reviewed-by: Omer Katz <omerkatz@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#79736}
Bug: v8:12600
Change-Id: I8a91dcd6880580207bf8d315b264edbe42a794e5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3568474
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79778}
cr_fuchsia_package is deprecated in favor of using the Fuchsia
SDK provided rules directly.
This CL adds a cmx file specifically for v8_unittests. CMX
files define fuchsia components, see
https://chromium-review.googlesource.com/c/chromium/src/+/3529652
for more info.
Bug: chromium:1092804
Change-Id: Ibf1d866ec6b94a0e1a7a7c7c443a6ee80e3b1042
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3537885
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Wez <wez@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Bryant Chandler <bryantchandler@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79760}
Adds concurrent marking for reaching through v8::TracedReference.
Before this CL, a v8::TracedReference would always be processed on the
main thread by pushing a callback for each encountered reference.
This CL now wires up concurrent handling for such references. In particular:
- Global handles are already marked as well and not repurposed during
the same GC cycle.
- Since global handles are not repurposed, it is enough to
double-deref to the V8 object, checking for possible null pointers.
- The bitmap for global handle flags is mostly non-atomic, with the
markbit being the exception.
- Finally, all state is wired up in CppHeap. Concurrent markers keep
their own local worklist while the mutator marker directly pushes to
the worklist owned by V8.
Bug: v8:12600
Change-Id: Ia67dbd18a57dbcccf4dfb9ccfdb9ee438d27fe71
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3516255
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79736}
This is a reland of commit e76ad5c6d9
Changes compared to original:
- Move invocation of LAZY_INSTANCE_INITIALIZER to a static global
variable, as some builds were failing with a function-level static.
- Drive-by: Improve documentation a bit.
Original change's description:
> [wasm-gc] Implement isorecursive canonicalization
>
> This implements isorecursive canonicalization for static types.
>
> Not implemented in this CL:
> - Runtime type canonicalization.
> - Cross-module signature canonicalization for purposes of call_indirect.
>
> Bug: v8:7748
> Change-Id: I6214f947444eea8d7b15a29b35c94c3d07ddb525
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3541925
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#79665}
Bug: v8:7748
Change-Id: I493fba1906491762f7d8bae50108e3e4a743391d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3560480
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79692}
This implements isorecursive canonicalization for static types.
Not implemented in this CL:
- Runtime type canonicalization.
- Cross-module signature canonicalization for purposes of call_indirect.
Bug: v8:7748
Change-Id: I6214f947444eea8d7b15a29b35c94c3d07ddb525
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3541925
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79665}
This reverts commit c482a66bd7.
Reason for revert: causes crashes in ChromeOS/MSAN builds:
https://crbug.com/1310642
Original change's description:
> Enable PAC and BTI for runtime generated code.
>
> This patch enables PAC and BTI for runtime generated code when PAC
> is enabled. Additional BTI landing pads will resolve to NOOP when
> running on non BTI device and will not cause functional problems.
>
> Change-Id: I3993481df2c3c47e3e81bfb76a8c355f642cd572
> Bug: chromium:919548, v8:10026
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3548457
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Andre Kempe <andre.kempe@arm.com>
> Cr-Commit-Position: refs/heads/main@{#79630}
Bug: chromium:919548, v8:10026, chromium:1310642
Change-Id: I564efa5327ae038a7b5fb69b416300afebe2cd74
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3556706
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79644}
This patch enables PAC and BTI for runtime generated code when PAC
is enabled. Additional BTI landing pads will resolve to NOOP when
running on non BTI device and will not cause functional problems.
Change-Id: I3993481df2c3c47e3e81bfb76a8c355f642cd572
Bug: chromium:919548, v8:10026
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3548457
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Andre Kempe <andre.kempe@arm.com>
Cr-Commit-Position: refs/heads/main@{#79630}
The code is dead since migrating to jobs API.
Change-Id: Icdcc3523ffe5830ef5851cf4ea86e579841f543c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3540103
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79573}
This is a reland of 6b690a6b48.
The previous version of this CL was a bit too aggressive in the
duplication of branch conditions. This caused an increase in
register pressure in some cases, thus reducing performance.
In fact, duplicating branch conditions that require an "== 0" to be
added provides no benefits. We are thus now a bit less aggressive, and
only duplicate comparisons.
Original change's description:
> Reland [compiler] Simplify "==0" branches in MachineOperatorReducer
>
> This is a reland of 48b443f692.
>
> While fixing the initial CL, we stumbled upon a few bugs that
> we had to fix:
>
> - CommonOperatorReducer and SimplifiedOperatorReducer were applied
> before and after SimplifiedLowering, but always assumed that it
> was before SimplifiedLowering, and thus had the wrong semantics
> for branches in some cases. They now have an added parameter to
> know which semantics of branch they should use.
>
> - The lowering of StaticAssert was wrong and could leave kHeapConstant
> in the assert (instead of machine Booleans).
>
> Original change's description:
> > [compiler] Simplify "==0" branches in MachineOperatorReducer
> >
> > Bug: v8:12484
> > Change-Id: I0667c7464c0dd71338bc199a24a69248a7a0a525
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3497303
> > Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> > Owners-Override: Tobias Tebbi <tebbi@chromium.org>
> > Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#79379}
>
> Bug: v8:12484
> Change-Id: Ibbf5df96fce5ccb04868dc517539479bf69f5703
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3516869
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#79528}
Bug: v8:12484
Change-Id: I31f575a59811a83c7c1acb4c14bf5ded63a8f536
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3540102
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79560}
This reverts commit 6b690a6b48.
Reason for revert: causes a few regressions here https://chromeperf.appspot.com/group_report?rev=79528
Original change's description:
> Reland [compiler] Simplify "==0" branches in MachineOperatorReducer
>
> This is a reland of 48b443f692.
>
> While fixing the initial CL, we stumbled upon a few bugs that
> we had to fix:
>
> - CommonOperatorReducer and SimplifiedOperatorReducer were applied
> before and after SimplifiedLowering, but always assumed that it
> was before SimplifiedLowering, and thus had the wrong semantics
> for branches in some cases. They now have an added parameter to
> know which semantics of branch they should use.
>
> - The lowering of StaticAssert was wrong and could leave kHeapConstant
> in the assert (instead of machine Booleans).
>
> Original change's description:
> > [compiler] Simplify "==0" branches in MachineOperatorReducer
> >
> > Bug: v8:12484
> > Change-Id: I0667c7464c0dd71338bc199a24a69248a7a0a525
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3497303
> > Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> > Owners-Override: Tobias Tebbi <tebbi@chromium.org>
> > Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#79379}
>
> Bug: v8:12484
> Change-Id: Ibbf5df96fce5ccb04868dc517539479bf69f5703
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3516869
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#79528}
Bug: v8:12484
Change-Id: I457464d793e9c5af8448564aa3b46be863b96fbb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3540148
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79552}
This CL removes:
- Dynamic map checks aka minimorphic property loads (TF support,
builtins).
- "Bailout" deopts (= drop to the interpreter once, but don't
throw out optimized code).
- "EagerWithResume" deopts (= part of dynamic map check
functionality, we call a builtin for the deopt check and deopt
or resume based on the result).
Fixed: v8:12552
Change-Id: I492cf1667e0f54586690b2f72a65ea804224b840
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3401585
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79544}
This is a reland of 48b443f692.
While fixing the initial CL, we stumbled upon a few bugs that
we had to fix:
- CommonOperatorReducer and SimplifiedOperatorReducer were applied
before and after SimplifiedLowering, but always assumed that it
was before SimplifiedLowering, and thus had the wrong semantics
for branches in some cases. They now have an added parameter to
know which semantics of branch they should use.
- The lowering of StaticAssert was wrong and could leave kHeapConstant
in the assert (instead of machine Booleans).
Original change's description:
> [compiler] Simplify "==0" branches in MachineOperatorReducer
>
> Bug: v8:12484
> Change-Id: I0667c7464c0dd71338bc199a24a69248a7a0a525
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3497303
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Owners-Override: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#79379}
Bug: v8:12484
Change-Id: Ibbf5df96fce5ccb04868dc517539479bf69f5703
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3516869
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79528}
This CL implements most parts of the concurrent maglev pipeline.
- MaglevConcurrentDispatcher: controls concurrent jobs.
- MaglevCompilationInfo: holds job-global data, controls handle
fiddling between the main isolate and local isolates, owns
job-global state like the Zone.
- MaglevCompilationUnit: same as before, holds per-unit data.
Still missing: job finalization.
Bug: v8:7700
Change-Id: I281178d945e79a0ba97fa2ac7023285d84a16641
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3516036
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79489}
Modernise the RegList interface to be a proper class, rather than a
typedef to an integer, and add proper methods onto it rather than ad-hoc
bit manipulation.
In particular, this makes RegList typesafe, adding a DoubleRegList for
DoubleRegisters.
The Arm64 CPURegList isn't updated to use (or extend) the new RegList
interface, because of its weird type-erasing semantics (it can store
Registers and VRegisters). Maybe in the future we'll want to get rid of
CPURegList entirely and use RegList/DoubleRegList directly.
Change-Id: I3cb2a4d386cb92a4dcd2edbdd3fba9ef71f354d6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3516747
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79460}
Instead of using the high water mark for determining this metric, we use
a bitset for all active/used system pages on a V8 heap page. Each time
when allocating a LAB on a page, we add the pages of that memory range
to that bitset. During sweeping we rebuild that bitset from scratch and
replace it with the old one in case free pages are discarded by the GC.
We DCHECK here that the sweeper only ever removes pages. This has the
nice benefit of ensuring that we don't miss any allocations (like we
do now for concurrent allocations).
CommittedPhysicalMemory for a page is then calculated by counting the
set bits in the bitset and multiplying it with the system page size.
This should be simpler to verify and track the "real" effective size
more precisely.
One case where we are partially less precise than the current
implementation is for LABs. In order to reduce complexity we now treat
all pages of a LAB allocation as active immediately. In the current
implementation we tried to only account the actual used part of the LAB
when changing the LAB later. This is more complex to track correctly
but also doesn't account the currently used LAB in effective size.
Change-Id: Ia83df9ad5fbb852f0717c4c396b5074604bd21e9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3497363
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79428}
This rename better reflects that heap_base is both used in cppgc but
also V8's GC.
Bug: v8:12691
Change-Id: Ia18ecba462d1b55cee6722452ceb28b25490a066
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3506374
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79398}
Currently ClobberDoubleRegisters is implemented in C++ and is
not guaranteed to clobber all registers. Rewritten in assembly
to clobber all double registers
Bug: v8:11798
Change-Id: I11c09bd247c929d251e6e509ea5cc76b9981ea98
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3490715
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79380}
A dispatcher that currently does nothing, installed on the Isolate.
The implementation is close to the baseline concurrent compiler; but
boilerplate is short enough that a common base class is not worth the
additional complexity.
Bug: v8:7700
Change-Id: Ia34781e24cb6b1f72e5560fb0afe107bb0486092
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3497690
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79353}
The utility type is independent of V8 and useful for cppgc as well.
Move to base/ to allow reusing.
Change-Id: I9de9b4a87bb113fb4c2232d90253afb0f38faa68
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3497336
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79346}
Store the free registers as a RegList rather than stack of Register
values. This allows us to simplify some of the register freeing logic,
including passing the current free set to nodes for use as temporaries.
Drive-by: Replace ALWAYS_ALLOCATABLE_GENERAL_REGISTERS with
ALLOCATABLE_GENERAL_REGISTERS, which is the more general list (the former
is an implementation detail for optionally reserving a register for
the cage register).
Bug: v8:7700
Change-Id: I666e9a7547c2f4f4e578fbcbb4bd3fe3cb06dac5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3497767
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79344}
- Add a comment on the macro that registers a prefinalizer.
- Refactor the API to avoid exposing internal types needlessly.
Change-Id: Ia88e786304616848556263410a8f5398c5374533
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3497766
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79334}
The per-Isolate Symbol tables are implemented using NameDictionary
before, which has additional property details overhead
And NameDictionary is limited to 2^23, which limits the Symbol
tables to be a maximum of 2^23.
- replace NameDictionary with SymbolTable in isolate
Bug: v8:12575
Change-Id: Ica4f05aac3494f7dfa3a074c240d4ba25df814e9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3476897
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79285}
This CL introduces an additional verification pass at the end of
SimplifiedLowering. The verification checks consistency of the lowered
graph with respect to node types under the effect of used truncations.
Typing of additional, lower level nodes is required and added in this
CL.
The verification pass can be enabled using --verify-simplified-lowering.
Bug: v8:12619, v8:11682
Change-Id: I21e7ebcf40153e53108ddfad2a871c7cbd61a085
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3452029
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79264}
Maglev is mid-tier optimising compiler designed mainly for compilation
speed that can still generate good code for straightforward JS.
This initial commit is an MVP for Maglev which can compile and run some
very simple code, and sets up a framework that we can build upon.
Design:
https://docs.google.com/document/d/13CwgSL4yawxuYg3iNlM-4ZPCB8RgJya6b8H_E2F-Aek/edit#
Bug: v8:7700
Change-Id: I5ae074ae099126c2c0d50864ac9b3d6fa5c9e85a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3483664
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79247}
This is a reland of dec62c2d0f
Revert was not necessary as test was independently flaking.
Original change's description:
> heap: Factor out raw allocation functions into HeapAllocator
>
> This CL is mostly mechanic and provides runtime and static
> dispatch for allocation of objects using HeapAllocator.
>
> Future CLs will remove the Heap bottelenecks.
>
> Bug: v8:12615
> Change-Id: Id2becf7da4bd5273f96abc0e1a4ac6c04bddb1cb
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3474674
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#79229}
Bug: v8:12615
Change-Id: I505ebde7afd2b0d03e11ef4cbcf1d4d09c6826a1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3484322
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79236}
This CL is mostly mechanic and provides runtime and static
dispatch for allocation of objects using HeapAllocator.
Future CLs will remove the Heap bottelenecks.
Bug: v8:12615
Change-Id: Id2becf7da4bd5273f96abc0e1a4ac6c04bddb1cb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3474674
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79229}
This is a reland of 1025bf26e3
Changes since revert:
- TSAN issue fixed by https://crrev.com/c/3475084
- Skip the shared-struct-workers test until shared GC deadlock is fixed,
being tracked in v8:12645
Original change's description:
> [shared-struct] Prototype JS shared structs
>
> Unlike the Stage 1 proposal, for simplicity the prototype does not add
> any new syntax, instead opting for exposing a SharedStructType
> constructor which takes an array of field names. This type constructor
> returns constructors for shared structs.
>
> Shared structs can be shared across Isolates, are fixed layout, have no
> prototype, have no .constructor, and can only store primitives and
> other shared structs.
>
> The initial prototype does not have TurboFan support.
>
> Bug: v8:12547
> Change-Id: I23bdd819940b42139692bcdb53d372099b0d4426
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3390643
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Marja Hölttä <marja@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Commit-Queue: Shu-yu Guo <syg@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#79156}
Bug: v8:12547
Change-Id: Ic1f5cf9fa9791ae2d5d5dc7c110614ca10b5d98e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3475078
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79215}
This CL refactors all remembered set logic from heap-base and
explicit-management to a new class OldToNewRememberedSet.
Bug: chromium:1029379
Change-Id: Id032b9dcc01af6f9bb9e546ed9bc6324da6d9b66
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3472498
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79212}
It has been deprecated for a couple of years and there is no evidence of
anybody still using it.
Change-Id: I454f2f718aa50c295b29faf62cd0313a5e6e97d7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3417495
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#79177}
This reverts commit 1025bf26e3.
Reason for revert: https://crbug.com/v8/12645
Original change's description:
> [shared-struct] Prototype JS shared structs
>
> Unlike the Stage 1 proposal, for simplicity the prototype does not add
> any new syntax, instead opting for exposing a SharedStructType
> constructor which takes an array of field names. This type constructor
> returns constructors for shared structs.
>
> Shared structs can be shared across Isolates, are fixed layout, have no
> prototype, have no .constructor, and can only store primitives and
> other shared structs.
>
> The initial prototype does not have TurboFan support.
>
> Bug: v8:12547
> Change-Id: I23bdd819940b42139692bcdb53d372099b0d4426
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3390643
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Marja Hölttä <marja@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Commit-Queue: Shu-yu Guo <syg@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#79156}
Bug: v8:12547
Change-Id: I44f2b8bb7487b4d39ba1282585e0b2282501230f
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3474676
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79170}
Previously, V8_OS_MACOSX was, somewhat confusingly, also used for iOS.
With this CL, V8_OS_DARWIN will be set on both macOS and iOS,
V8_OS_MACOS only on macOS, and V8_OS_IOS only on iOS.
This CL also renames V8_TARGET_OS_MACOSX to V8_TARGET_OS_MACOS and
renames platform-xnu.cc to platform-darwin.cc.
Change-Id: I4bcafc7c337586662114144f6c7ccf47d978da1f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3468577
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79167}
Unlike the Stage 1 proposal, for simplicity the prototype does not add
any new syntax, instead opting for exposing a SharedStructType
constructor which takes an array of field names. This type constructor
returns constructors for shared structs.
Shared structs can be shared across Isolates, are fixed layout, have no
prototype, have no .constructor, and can only store primitives and
other shared structs.
The initial prototype does not have TurboFan support.
Bug: v8:12547
Change-Id: I23bdd819940b42139692bcdb53d372099b0d4426
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3390643
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79156}
The new shared memory API should only be used on macOS, but
platform-macos.cc was also included on iOS, causing build failures. This
CL splits platform-macos.cc into platform-xnu.cc (common code for macOS
and iOS) and platform-macos.cc (the macOS specific parts)
Bug: chromium:1218005
Change-Id: Iab332865ffd8990ddd246bb9c08802909464d7e6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3468895
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79131}
The flag is required to allow passing in more debug information when
necessary.
Change-Id: I34e407ba57786c242aac8b6f6af258969de43efd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3468894
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79126}
These should not be allowed inside the sandbox as they could be
corrupted by an attacker, thus posing a security risk. Furthermore,
executable pages require MAP_JIT on macOS, which causes fork() to become
excessively slow, in turn causing tests to time out.
Due to this, the sandbox now requires the external code space.
In addition, this CL adds a max_page_permissions member to the
VirtualAddressSpace API to make it possible to verify the maximum
permissions of a subspace.
Bug: v8:10391
Change-Id: Ib9562ecff6f018696bfa25143113d8583d1ec6cd
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3460406
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79119}
LocalAllocator was already renamed to EvacuationAllocator some time ago.
Rename files now as well.
Bug: v8:10315
Change-Id: I337f693998aaf5187a5ba05842cdb2474837b68d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3463719
Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79104}
.. to resolve the overloaded 'runtime' term and overall pick a more
meaningful name for this class. It's neither very related to runtime
(instead it's called periodically when the bytecode interrupt budget is
exhausted); nor is profiling its main purpose.
This class is responsible for controlling tiering decisions, hence the
new name 'TieringManager'.
Bug: v8:7700
Change-Id: Id6f1edf4ebe016d0d81903d0a13e0e1fe6e02142
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3463716
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79101}
Allows separating out the allocator from Heap without requiring a
heap.h include.
Drive-by:
- Rename "Retry" to "Failure".
- Avoid implicit constructors.
- Rename "RetrySpace" to "GarbageCollectionSpace" which is its only
use.
Bug: v8:12615
Change-Id: Idac17cded8f0b2b645a2be9045ab31ffd71999b3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3456562
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79063}
The build flag is on by default and the actual functionality is guarded
by a runtime flag.
Bug: v8:12612
Change-Id: I6adbd5b766f502400af32eeeb035edca3a3606ef
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3448383
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79036}
After https://crrev.com/c/3416191 there are too many mixed concerns in
the clusterfuzz directory. We split it into js-fuzzer, foozzie and
trials.
Change-Id: I9a21ee83985e6113d77acba4583e99df88723c60
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3443505
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Almothana Athamneh <almuthanna@chromium.org>
Commit-Queue: Almothana Athamneh <almuthanna@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78981}
The web app owner who notified me about bugs v8:12112 and v8:12126 asked
me a reasonable question: "how am I ever supposed to trust the retaining
paths in the devtools, if the heap snapshot is generated by a different
component than the actual marking code?". This change is my attempt to
answer that question. If verification is enabled, the heap snapshot
generator will visit each heap object with a realistic marking visitor
to find all references from that object. It will then check that those
references match the HeapGraphEdges in the snapshot.
I also considered the idea that we could collect retaining information
during the last GC cycle before taking the heap snapshot, or during an
extra GC cycle immediately after. However, running the full GC provides
the embedder with the opportunity to run arbitrary code (including JS)
both before and after PerformGarbageCollection, so there is no clear
guarantee that the heap state during the snapshot actually matches the
heap state during marking.
Bug: v8:12112, v8:12126
Change-Id: Id29e75ecf9eee19e35daedbdb4a3e1df64785380
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3299590
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#78952}
Replacement is v8::TracedReference in combination with v8::Global if a
callback is really needed.
Bug: v8:12603
Change-Id: Iae48fee2e6588a594d430c5f3a71ff0b3e67e5b2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3439873
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78950}
This is a reland of 517ed4ad00
Original change's description:
> Reland "[Torque] Generalize Torque literals to larger size"
>
> Previously, literals in Torque were stored as double values, which
> made it impossible to precisely represent 64 bit integer values.
> This CL replaces the old literal expression with an integer and
> floating point literal expression that are unbounded in size. We
> allow implicit conversion of these literals to arbitary integer
> and floating point types respectively and insert a corresponding
> bounds check into generated CSA.
>
> Changes in the reland: Simplified IntegerLiteral to single digit.
>
> Bug: v8:7793, chromium:1289282
> Change-Id: I31c762c2f31165c7a1d0b07842b764e5851ce189
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3406750
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#78811}
Bug: v8:7793, chromium:1289282
Change-Id: I7aadc4d2c9494f03eae85e94949c8f4cab7a075c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3437047
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78939}
The CL does following:
1) Makes sure young generation works and tests pass;
2) Provides CollectGarbageInYoungGenerationForTesting() that is needed
to support remaining tests in Blink;
3) Moved cppgc_enable_young_generation GN flag to v8.gni to refer to it
from Blink;
4) Bails out from marking TracedReferences in UnifiedHeapMarkingState;
5) Disables (temporarily) prompt freeing for young generation;
6) Fixes remembered set visitation for nullptr|kSentinel slots.
Bug: chromium:1029379
Change-Id: I5165fa22c8a0eaa708ef7a35a9978cb12e1cb13e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3429202
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Auto-Submit: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78901}
Previously, when accessing SandboxedPointer fields with the sandbox
disabled, we would always do a ReadUnalignedValue/WriteUnalignedValue.
However, that is only necessary when pointer compression is enabled.
Otherwise, the field will be properly aligned.
This CL also factors out the logic to determine when to use an unaligned
or aligned read/write for a field into two new helper functions.
Bug: chromium:1292669
Change-Id: I2c1af187c5b2699101c3fee9cc551be788d3a845
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3429200
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78887}
- Adds a GN flag to enable the feature
- Adds facets to manifest used by d8/unittests
- Adds some DCHECKS
- Uses zx_handle_t type to avoid global initialization/destructor
Bug: v8:11232
Change-Id: Ibd7766abefbf8c213393cf6365c34f9ff4e6ed7d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3420828
Reviewed-by: Wez <wez@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78886}
This is a reland #3. The fixes were landed separately.
Perf Sheriffs: this CL might regress some benchmarks while improving
the others.
Bug: v8:11880
Change-Id: I8ed5bf59360649718960dc34c06015ee6ff1532a
Cq-Include-Trybots: luci.v8.try:v8_android_arm64_compile_dbg
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3422643
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78854}
We can now specify the trials for clusterfuzz using the file
clusterfuzz_trials_config.json. There is also a presubmit check
to make sure that it is formatted correctly.
Change-Id: Iafb7063b63b1daeb7653830542d13b419cf187d6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3416191
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Almothana Athamneh <almuthanna@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78848}
This reverts commit 517ed4ad00.
Reason for revert: There still seems to be an issue on V8 Win msvc related to this CL (https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Win64%20-%20msvc/20568/overview).
Original change's description:
> Reland "[Torque] Generalize Torque literals to larger size"
>
> Previously, literals in Torque were stored as double values, which
> made it impossible to precisely represent 64 bit integer values.
> This CL replaces the old literal expression with an integer and
> floating point literal expression that are unbounded in size. We
> allow implicit conversion of these literals to arbitary integer
> and floating point types respectively and insert a corresponding
> bounds check into generated CSA.
>
> Changes in the reland: Simplified IntegerLiteral to single digit.
>
> Bug: v8:7793, chromium:1289282
> Change-Id: I31c762c2f31165c7a1d0b07842b764e5851ce189
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3406750
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#78811}
Bug: v8:7793, chromium:1289282
Change-Id: I818cec9625fbd827a4a30088d8c8b759fb6c50d7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3424484
Owners-Override: Nico Hartmann <nicohartmann@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78847}
Drive-by fix to align what builds the test runner considers to be able
to have shared memory features and what builds can create a shared
Isolate.
Bug: v8:12007
Change-Id: I151513ccbfbee31e5b35c5ce8e9192732eabfee2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3421507
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78824}
This is a reland #2. The fixes were landed separately.
Perf Sheriffs: this CL might regress some benchmarks while improving
the others.
Bug: v8:11880
Change-Id: I397aef5ad5cce42ef189ee10b482805c90ec925a
Cq-Include-Trybots: luci.v8.try:v8_android_arm64_compile_dbg
Cq-Include-Trybots: luci.v8.try:v8_linux64_ubsan_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3417000
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78817}
Previously, literals in Torque were stored as double values, which
made it impossible to precisely represent 64 bit integer values.
This CL replaces the old literal expression with an integer and
floating point literal expression that are unbounded in size. We
allow implicit conversion of these literals to arbitary integer
and floating point types respectively and insert a corresponding
bounds check into generated CSA.
Changes in the reland: Simplified IntegerLiteral to single digit.
Bug: v8:7793, chromium:1289282
Change-Id: I31c762c2f31165c7a1d0b07842b764e5851ce189
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3406750
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78811}
Moves g_root_vmar_base up in the file, so that we have all
the globals together.
Bug: v8:11232
Change-Id: Ic08cdf3399982962de255028be6718951a17aedb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3416249
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Samuel Groß <saelo@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78786}
The external pointer table is now managed by the GC, which marks entries
that are alive during major GC, then sweeps the table afterwards to free
all dead entries and build a free list from them. For now, only major GCs
are supported, Scavenger GCs do not interact with the external pointer table.
In more detail, garbage collection of the external pointer table works
as follows:
1. The external pointer table now reserves a large region of virtual
address space for its backing buffer and is then never reallocated,
only grown in place until the maximum size is reached.
2. When the GC's marking visitor marks a HeapObject with an external
pointer as alive, it also marks the corresponding external pointer
table entry as alive. This can happen on a background thread.
3. For that, it uses the MSB of each entry in the table to indicate
whether the entry has been marked or not. This works because the MSB
is always cleared during the AND-based type check performed when
accessing an external pointer.
4. After marking, the external pointer table is swept while the mutator
is stopped. This builds an inline, singly-linked freelist of all
newly-dead and previously-free entries.
5. When allocating an entry from the table, the first entry on the
freelist is used. If the freelist is empty, the table grows,
populating the freelist with the new entries.
6. Every newly-allocated entry is marked as alive, and every store to an
existing entry also automatically marks that entry as alive (by also
setting the MSB). This simplifies the design of the table GC with
regards to concurrency (See ExternalPointerTable::Mark).
Bug: v8:10391
Change-Id: I8877fdf5576af3761bde65298951bb09e601bd14
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3359625
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78708}
This reverts commit 757830b02b.
Reason for revert: Speculatively revert due to a number of
performance regressions
Original change's description:
> [Torque] Generalize Torque literals to larger size
>
> Previously, literals in Torque were stored as double values, which
> made it impossible to precisely represent 64 bit integer values.
> This CL replaces the old literal expression with an integer and
> floating point literal expression that are unbounded in size. We
> allow implicit conversion of these literals to arbitary integer
> and floating point types respectively and insert a corresponding
> bounds check into generated CSA.
>
> Bug: v8:7793
> Change-Id: I46c231aab92bc2f0c26955d1876079f306b358c6
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3329792
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#78671}
Bug: v8:7793
Change-Id: I9896e28b3c69b8cf2488bf93e993ec320d8c5d2e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3401866
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78706}
